Chris, Chuck

The short answer is: if URLs are filtered first, then the actual location
DefaultServlet will need to use is not visible in any of the html.
Only for the authenticated serves will getPathInfo() be appropriately
adjusted and then passed to DefaultServlet.

Silly question for Maurice: why are you trying to protect your images?
Do you want to stop people from ripping them off from your site?

It's not my call, but the customer's.

Maurice


Christopher Schultz wrote:

Chuck,

Caldarale, Charles R wrote:
From: Maurice Yarrow [mailto:[EMAIL PROTECTED]
Subject: Re: Tomcat Security

What I currently do is serve the static content from elsewhere,
outside the tomcat/webapps tree.
You still end up having to map the request to some resource location
on the server, and I don't see any way to prevent the end user from
manually entering the equivalent URL.  You could obfuscate, but not
prevent.

There's another way to raise the barrier, but it's still not completely
impenetrable: use the referer header.

With the notable exception of Lynx, pretty much all web browsers include
the "Referer" (sic) header when making requests where sending such a
header makes sense. When an image is being loaded into a page, the
referer /should/ be set by the browser.

You can check to make sure that the referer header matches one of your
own URLs and complain if it doesn't match.

There are still ways around this (including crafting GET requests
without using a browser at all), but it can help a little bit.

Silly question for Maurice: why are you trying to protect your images?
Do you want to stop people from ripping them off from your site?

-chris





---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
